---
page_title: "cloudflare_access_group Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a Cloudflare Access Group resource. Access Groups are used
  in conjunction with Access Policies to restrict access to a
  particular resource based on group membership.
---

# cloudflare_access_group (Resource)

Provides a Cloudflare Access Group resource. Access Groups are used
in conjunction with Access Policies to restrict access to a
particular resource based on group membership.

~> Either `account_id` or `zone_id` must be provided, and in most cases
   either works. However, if you're using a scoped access token, you must
   provide the argument that matches the token's scope. For example, an
   access token that is scoped to the "example.com" zone needs to use the
   `zone_id` argument.

## Example Usage

```terraform
# Allowing access to the `test@example.com` email address only.
resource "cloudflare_access_group" "email_only" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "staging group"

  include {
    email = ["test@example.com"]
  }
}

# Allowing `test@example.com` to access, but only when coming from a
# specific IP range. `ip` entries are CIDR blocks, so `var.office_ip`
# should hold a value such as "203.0.113.0/24".
resource "cloudflare_access_group" "email_from_office_ip" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "staging group"

  include {
    email = ["test@example.com"]
  }

  require {
    ip = [var.office_ip]
  }
}

# Allow members of an Azure group. The ID is the group UUID (id) in Azure.
resource "cloudflare_access_group" "azure_group" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "test_group"

  include {
    azure {
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
      id                   = ["86773093-5feb-48dd-814b-7ccd3676ff50"]
    }
  }
}
```
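The three rule blocks combine in a fixed way that the examples above rely on: Cloudflare evaluates `include` as "at least one rule matches", `require` as "every rule matches" and `exclude` as "no rule matches", so a `require` block never grants membership on its own. The model below is an added example, not provider code or Cloudflare's implementation; it encodes those semantics for the selectors used on this page (`email`, `email_domain`, `ip`, `azure`, `everyone`) and checks the page's three groups plus one constructed group with an `exclude`. The `Identity` type, the `203.0.113.0/24` stand-in for `var.office_ip` and all probe identities are constructed; the Azure identifiers are the ones from the example.

```python
"""Model of how include / require / exclude blocks of a cloudflare_access_group combine.

Added example, not provider code. Semantics encoded: include = at least one rule
matches, require = every rule matches, exclude = no rule matches.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What Access knows about a request (constructed type for this example)."""
    email: str = ""
    ip: str = ""
    # (identity_provider_id, Azure group id) pairs asserted by the IdP
    azure_groups: frozenset = frozenset()


def _selector_matches(kind, value, ident):
    """Evaluate one selector from a rule block, e.g. `email = [...]` or `ip = [...]`."""
    if kind == "everyone":
        return bool(value)
    if kind == "email":
        # Model choice: addresses are compared case-insensitively.
        return ident.email.lower() in {e.lower() for e in value}
    if kind == "email_domain":
        domain = ident.email.rsplit("@", 1)[-1].lower() if "@" in ident.email else ""
        return domain in {d.lower() for d in value}
    if kind == "ip":
        if not ident.ip:
            return False
        addr = ipaddress.ip_address(ident.ip)
        # `ip` entries are CIDR blocks; a v4 address never matches a v6 network and vice versa.
        return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in value)
    if kind == "azure":
        return any((blk["identity_provider_id"], gid) in ident.azure_groups
                   for blk in value for gid in blk["id"])
    raise ValueError(f"selector {kind!r} is not modelled here")


def _flatten(blocks):
    """A Terraform block list becomes a flat list of (selector, value) rules."""
    return [(k, v) for blk in blocks for k, v in blk.items()]


def evaluate(group, ident):
    """True if the identity is a member of the group under include/require/exclude."""
    include = _flatten(group.get("include", []))
    require = _flatten(group.get("require", []))
    exclude = _flatten(group.get("exclude", []))
    if not any(_selector_matches(k, v, ident) for k, v in include):
        return False  # nothing opted the identity in
    if not all(_selector_matches(k, v, ident) for k, v in require):
        return False  # a mandatory condition failed (all([]) is True: no require, no constraint)
    if any(_selector_matches(k, v, ident) for k, v in exclude):
        return False  # explicitly carved out
    return True


OFFICE_CIDR = "203.0.113.0/24"  # constructed stand-in for var.office_ip
AZURE_IDP = "ca298b82-93b5-41bf-bc2d-10493f09b761"    # from the page example
AZURE_GROUP = "86773093-5feb-48dd-814b-7ccd3676ff50"  # from the page example

GROUPS = {
    # The three groups from Example Usage, written as the provider's block lists.
    "email_only": {"include": [{"email": ["test@example.com"]}]},
    "email_from_office_ip": {"include": [{"email": ["test@example.com"]}],
                             "require": [{"ip": [OFFICE_CIDR]}]},
    "azure_group": {"include": [{"azure": [{"identity_provider_id": AZURE_IDP,
                                            "id": [AZURE_GROUP]}]}]},
    # Constructed: a whole mail domain with one address carved out via exclude.
    "domain_minus_contractor": {"include": [{"email_domain": ["example.com"]}],
                                "exclude": [{"email": ["contractor@example.com"]}]},
}


if __name__ == "__main__":
    probes = [
        ("email_from_office_ip", Identity(email="test@example.com", ip="203.0.113.42")),
        ("email_from_office_ip", Identity(email="test@example.com", ip="198.51.100.7")),
        ("email_from_office_ip", Identity(email="other@example.com", ip="203.0.113.42")),
        ("domain_minus_contractor", Identity(email="contractor@example.com")),
    ]
    for name, ident in probes:
        print(f"{name}: {ident.email} from {ident.ip or '?'} -> {evaluate(GROUPS[name], ident)}")
```

The third probe is the case worth remembering when reviewing a group: an identity that satisfies every `require` rule but no `include` rule is still not a member, so `require` narrows a group and never widens it.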
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `include` (Block List, Min: 1) (see [below for nested schema](#nestedblock--include))
- `name` (String)

### Optional

- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. **Modifying this attribute will force creation of a new resource.**
- `exclude` (Block List) (see [below for nested schema](#nestedblock--exclude))
- `require` (Block List) (see [below for nested schema](#nestedblock--require))
- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.

### Read-Only

- `id` (String) The ID of this resource.

<a id="nestedblock--include"></a>
### Nested Schema for `include`

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context))
- `auth_method` (String)
- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure))
- `certificate` (Boolean)
- `common_name` (String)
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see [below for nested schema](#nestedblock--include--external_evaluation))
- `geo` (List of String)
- `github` (Block List) (see [below for nested schema](#nestedblock--include--github))
- `group` (List of String)
- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta))
- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml))
- `service_token` (List of String)

<a id="nestedblock--include--auth_context"></a>
### Nested Schema for `include.auth_context`

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.


<a id="nestedblock--include--azure"></a>
### Nested Schema for `include.azure`

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.


<a id="nestedblock--include--external_evaluation"></a>
### Nested Schema for `include.external_evaluation`

Optional:

- `evaluate_url` (String)
- `keys_url` (String)


<a id="nestedblock--include--github"></a>
### Nested Schema for `include.github`

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)


<a id="nestedblock--include--gsuite"></a>
### Nested Schema for `include.gsuite`

Optional:

- `email` (List of String)
- `identity_provider_id` (String)


<a id="nestedblock--include--okta"></a>
### Nested Schema for `include.okta`

Optional:

- `identity_provider_id` (String)
- `name` (List of String)


<a id="nestedblock--include--saml"></a>
### Nested Schema for `include.saml`

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)



<a id="nestedblock--exclude"></a>
### Nested Schema for `exclude`

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context))
- `auth_method` (String)
- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure))
- `certificate` (Boolean)
- `common_name` (String)
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see [below for nested schema](#nestedblock--exclude--external_evaluation))
- `geo` (List of String)
- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github))
- `group` (List of String)
- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta))
- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml))
- `service_token` (List of String)

<a id="nestedblock--exclude--auth_context"></a>
### Nested Schema for `exclude.auth_context`

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.


<a id="nestedblock--exclude--azure"></a>
### Nested Schema for `exclude.azure`

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.


<a id="nestedblock--exclude--external_evaluation"></a>
### Nested Schema for `exclude.external_evaluation`

Optional:

- `evaluate_url` (String)
- `keys_url` (String)


<a id="nestedblock--exclude--github"></a>
### Nested Schema for `exclude.github`

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)


<a id="nestedblock--exclude--gsuite"></a>
### Nested Schema for `exclude.gsuite`

Optional:

- `email` (List of String)
- `identity_provider_id` (String)


<a id="nestedblock--exclude--okta"></a>
### Nested Schema for `exclude.okta`

Optional:

- `identity_provider_id` (String)
- `name` (List of String)


<a id="nestedblock--exclude--saml"></a>
### Nested Schema for `exclude.saml`

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)



<a id="nestedblock--require"></a>
### Nested Schema for `require`

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context))
- `auth_method` (String)
- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure))
- `certificate` (Boolean)
- `common_name` (String)
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see [below for nested schema](#nestedblock--require--external_evaluation))
- `geo` (List of String)
- `github` (Block List) (see [below for nested schema](#nestedblock--require--github))
- `group` (List of String)
- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta))
- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml))
- `service_token` (List of String)

<a id="nestedblock--require--auth_context"></a>
### Nested Schema for `require.auth_context`

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.


<a id="nestedblock--require--azure"></a>
### Nested Schema for `require.azure`

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.


<a id="nestedblock--require--external_evaluation"></a>
### Nested Schema for `require.external_evaluation`

Optional:

- `evaluate_url` (String)
- `keys_url` (String)


<a id="nestedblock--require--github"></a>
### Nested Schema for `require.github`

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)


<a id="nestedblock--require--gsuite"></a>
### Nested Schema for `require.gsuite`

Optional:

- `email` (List of String)
- `identity_provider_id` (String)


<a id="nestedblock--require--okta"></a>
### Nested Schema for `require.okta`

Optional:

- `identity_provider_id` (String)
- `name` (List of String)


<a id="nestedblock--require--saml"></a>
### Nested Schema for `require.saml`

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

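Several selectors in the schema above admit far more than a casual reading suggests: `everyone = true` or `any_valid_service_token = true` in an `include` block with no `require` block to narrow it, an `email_domain` that anyone can register an address under, or an `ip` entry of `0.0.0.0/0` or `::/0` that "restricts" nothing. The check below is an added example, not provider code: it reads the JSON that `terraform show -json` prints for a state (`values.root_module`) or plan (`planned_values.root_module`), walks child modules, and reports those patterns for every `cloudflare_access_group`. The sample document is constructed and abbreviated (real output carries every schema attribute, unset ones as `null` or `[]`); the `PUBLIC_MAIL_DOMAINS` list and the `203.0.113.0/24` CIDR are policy parameters chosen for the example.

```python
"""Policy-as-code check for cloudflare_access_group resources in `terraform show -json` output.

Added example, not provider code. Flags rules that admit more than they appear to.
"""
import ipaddress
import json

# Policy parameter (constructed): mail domains where anyone can register an address.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed, abbreviated `terraform show -json` document; not real tool output.
SAMPLE_SHOW_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {
            "address": "cloudflare_access_group.wide_open",
            "mode": "managed", "type": "cloudflare_access_group", "name": "wide_open",
            "values": {
                "account_id": "f037e56e89293a057740de681ac9abbe",
                "name": "wide open",
                "include": [{"everyone": True, "ip": ["0.0.0.0/0"]}],
                "require": [], "exclude": [],
            },
        },
        {
            "address": "cloudflare_access_group.staging",
            "mode": "managed", "type": "cloudflare_access_group", "name": "staging",
            "values": {
                "account_id": "f037e56e89293a057740de681ac9abbe",
                "name": "staging group",
                "include": [{"email": ["test@example.com"]}],
                "require": [{"ip": ["203.0.113.0/24"]}],  # constructed office CIDR
                "exclude": [],
            },
        },
    ]}},
})


def _iter_resources(module):
    """Walk a module and its child modules, yielding resource entries."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def load_access_groups(show_json_text):
    """Every cloudflare_access_group in a state (`values`) or plan (`planned_values`) document."""
    doc = json.loads(show_json_text)
    root = (doc.get("values") or doc.get("planned_values") or {}).get("root_module", {})
    return [r for r in _iter_resources(root) if r.get("type") == "cloudflare_access_group"]


def _blocks(values, name):
    """Block-list attribute -> list of non-empty block dicts (unset blocks arrive as null or [])."""
    return [b for b in (values.get(name) or []) if b]


def lint_group(res):
    """Findings for one resource as (address, code, message) tuples."""
    findings = []
    addr, vals = res["address"], res.get("values") or {}
    include = _blocks(vals, "include")
    require = _blocks(vals, "require")
    unconstrained = not require  # nothing ANDs with the include rules

    for blk in include:
        if blk.get("everyone") and unconstrained:
            findings.append((addr, "EVERYONE_NO_REQUIRE",
                             "include.everyone admits any identity and no require block narrows it"))
        if blk.get("any_valid_service_token") and unconstrained:
            findings.append((addr, "ANY_SERVICE_TOKEN_NO_REQUIRE",
                             "every service token on the account is admitted; list tokens or add a require"))
        for domain in blk.get("email_domain") or []:
            if domain.lower() in PUBLIC_MAIL_DOMAINS:
                findings.append((addr, "PUBLIC_EMAIL_DOMAIN",
                                 f"include.email_domain {domain!r} admits anyone with a free mailbox"))

    # `ip` entries are CIDR blocks; a /0 in include or require restricts nothing.
    for block_name, blocks in (("include", include), ("require", require)):
        for blk in blocks:
            for cidr in blk.get("ip") or []:
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    findings.append((addr, "IP_INVALID", f"{block_name}.ip {cidr!r} is not a CIDR block"))
                    continue
                if net.prefixlen == 0:
                    findings.append((addr, "IP_ANY", f"{block_name}.ip {cidr!r} matches every address"))
    return findings


def lint_show_json(show_json_text):
    """Lint every access group in a `terraform show -json` document."""
    return [f for res in load_access_groups(show_json_text) for f in lint_group(res)]


if __name__ == "__main__":
    for addr, code, msg in lint_show_json(SAMPLE_SHOW_JSON):
        print(f"{addr}: [{code}] {msg}")
```

Run it against `terraform show -json tfplan` in CI before `apply`; the `staging` group produces no findings, while `wide_open` is reported twice, once for the unconstrained `everyone` and once for the `/0` CIDR.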
## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_access_group.example <account_id>/<group_id>
```
